Continued Win32/trickbot.ak and Win32/Kryptik.GJRP activity


Hello. We have continued activity on different systems from these two trojans showing up on our ESET Remote Administrator. What is odd (to me) is that activity is showing up on systems that never so much as opened a web browser. ESET is terminating connections and deleting, but the logs are full of this over and over.

I've done some searching, but I do not know why systems continue to get reinfected, especially ones that are never logged on or use email / web browser.

What is the next step with this? I am not sure if getting boot logs and such from these will do anything, since it's various systems doing it, so there has to be something that continues to infect them? Much help would be appreciated. Should we reach out to support?

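The post above describes the classic symptom of a shared infection source: the same detections repeating on machines that are never used interactively. Before pulling boot logs from individual hosts, it helps to look at the detection log as a whole and ask two questions: which hosts are hit repeatedly and how quickly, and which detected object paths appear on more than one host. The following Python script is an added triage example, not code from the original thread or from ESET; the CSV layout and every hostname, path and timestamp in it are constructed for illustration and do not reflect ESET Remote Administrator's real export format.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of a detection-log export. The column names and all
# values are assumptions made for this example; adapt parse_events() to the
# columns of the export you actually have.
SAMPLE_LOG = r"""timestamp,host,threat,object,action
2019-03-01T08:00:12,WS-01,Win32/TrickBot.AK,\\FILESRV\share\update.exe,cleaned by deleting
2019-03-01T08:30:40,WS-01,Win32/TrickBot.AK,\\FILESRV\share\update.exe,cleaned by deleting
2019-03-01T09:01:05,WS-02,Win32/Kryptik.GJRP,C:\Users\Public\svc.exe,cleaned by deleting
2019-03-01T09:15:00,WS-01,Win32/TrickBot.AK,\\FILESRV\share\update.exe,cleaned by deleting
2019-03-01T10:05:22,WS-03,Win32/TrickBot.AK,\\FILESRV\share\update.exe,connection terminated
2019-03-01T11:20:00,WS-02,Win32/Kryptik.GJRP,C:\Users\Public\svc.exe,cleaned by deleting
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts with a real datetime."""
    rows = list(csv.DictReader(text.strip().splitlines()))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def repeat_offenders(events, min_hits=2):
    """Hosts detected at least min_hits times, with the shortest gap between
    two detections in minutes. A short gap on a host nobody logs on to points
    at an automated re-delivery (scheduled task, logon script, share) rather
    than user behaviour."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    report = {}
    for host, hits in by_host.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda e: e["timestamp"])
        gaps = [
            (later["timestamp"] - earlier["timestamp"]).total_seconds() / 60
            for earlier, later in zip(hits, hits[1:])
        ]
        report[host] = {
            "hits": len(hits),
            "min_gap_minutes": min(gaps),
            "objects": Counter(e["object"] for e in hits),
        }
    return report


def common_sources(events):
    """Object paths seen on more than one host. A path shared across hosts is
    the first place to look for the thing that keeps reinfecting them."""
    hosts_per_object = defaultdict(set)
    for event in events:
        hosts_per_object[event["object"]].add(event["host"])
    return {
        obj: sorted(hosts)
        for obj, hosts in hosts_per_object.items()
        if len(hosts) > 1
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for host, info in sorted(repeat_offenders(events).items()):
        print(f"{host}: {info['hits']} detections, "
              f"shortest gap {info['min_gap_minutes']:.1f} min, "
              f"objects {dict(info['objects'])}")
    for obj, hosts in common_sources(events).items():
        print(f"shared source candidate: {obj} seen on {', '.join(hosts)}")
```

On the constructed sample this flags WS-01 (three detections roughly half an hour apart) and WS-02 as repeat offenders, and singles out the share path as the one object present on more than one host. In a real environment the shared path, task or script that the report surfaces is what to collect and submit, which is also where the LiveGrid point made in the reply below comes in.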

This is a good example of how disabling the LiveGrid feedback system can negatively affect cleaning capabilities. I've requested a suspicious file from the user's machine and recommended to enable submission of suspicious files. With that enabled, the suspicious file would have already been submitted through LiveGrid and a detection would have been added for proper recognition and cleaning.